vpn-instance policy deny

Use vpn-instance policy deny to enter user role VPN instance policy view.

Use undo vpn-instance policy deny to restore the default user role VPN instance policy.

Syntax

vpn-instance policy deny

undo vpn-instance policy deny

Default

A user role has access to all VPN instances.

Views

User role view

Predefined user roles

network-admin

mdc-admin

Usage guidelines

To restrict the VPN instance access of a user role to only a set of VPN instances, perform the following tasks:

  1. Use vpn-instance policy deny to enter user role VPN instance policy view.

  2. Use permit vpn-instance to specify accessible VPN instances.


    NOTE:

    The vpn-instance policy deny command denies the access of the user role to all VPN instances if the permit vpn-instance command is not configured.


To configure a VPN instance, make sure the VPN instance is permitted by the user role VPN instance policy in use. You can perform the following tasks on an accessible VPN instance:

Any change to a user role VPN instance policy takes effect only on users who log in with the user role after the change.

Examples

# Enter user role VPN instance policy view of role1, and deny the access of user role role1 to all VPN instances.

<Sysname> system-view
[Sysname] role name role1
[Sysname-role-role1] vpn-instance policy deny
[Sysname-role-role1-vpnpolicy] quit

# Enter user role VPN instance policy view of role1, and deny the access of user role role1 to all VPN instances except vpn2.

<Sysname> system-view
[Sysname] role name role1
[Sysname-role-role1] vpn-instance policy deny
[Sysname-role-role1-vpnpolicy] permit vpn-instance vpn2
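The following Python script is an added example, not part of the original command reference. It reads configuration text and reports, for each user role, whether the role keeps the default access to all VPN instances, is denied all of them (vpn-instance policy deny with no permit vpn-instance), or is limited to a permitted set. The sample configuration is constructed, and its layout (unindented role name lines, indented sub-commands, # separators) is an assumption.

```python
import re

# Constructed sample laid out like a saved configuration. The one-space
# indentation and "#" separators are assumptions, not captured device output.
SAMPLE_CONFIG = """\
#
role name role1
 vpn-instance policy deny
  permit vpn-instance vpn2
#
role name role2
 vpn-instance policy deny
#
role name role3
#
"""

ROLE_RE = re.compile(r"role name (\S+)")
PERMIT_RE = re.compile(r"permit vpn-instance (\S.*)")


def vpn_instance_access(config_text):
    """Return {role: "all" | "none" | sorted list of permitted VPN instances}."""
    permits = {}          # role -> None (no policy) or list of permitted names
    role = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if raw[:1] not in (" ", "\t"):
            # An unindented line starts a role block or ends the current one.
            m = ROLE_RE.fullmatch(line)
            role = m.group(1) if m else None
            if role is not None:
                permits[role] = None
            continue
        if role is None:
            continue
        if line == "vpn-instance policy deny":
            permits[role] = []            # deny all until a permit line follows
        elif permits[role] is not None and (m := PERMIT_RE.fullmatch(line)):
            permits[role].extend(m.group(1).split())
    # No policy keeps the default (all); a policy with no permits denies all.
    return {name: "all" if allowed is None else (sorted(allowed) or "none")
            for name, allowed in permits.items()}


if __name__ == "__main__":
    for name, access in vpn_instance_access(SAMPLE_CONFIG).items():
        print(f"{name}: {access}")
```

Roles reported as "all" still have the default access and are the ones to review when VPN instance access is meant to be restricted; roles reported as "none" have the deny policy without any permit vpn-instance entry.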

Related commands

display role

permit vpn-instance

role